
Add systemd service example #125

Open
davispuh wants to merge 1 commit into bitmagnet-io:main from davispuh:service

Conversation

@davispuh commented Jan 28, 2024

If you want to run it 24/7 as a proper systemd service then it's useful to have a .service file. I tried to harden it as much as possible; only a few things could be tweaked more, like SystemCallFilter, but this should already be good enough.

$ systemd-analyze security bitmagnet
[...]
→ Overall exposure level for bitmagnet.service: 1.2 OK 🙂 (lower number means most secure, 10 is most unsafe) 

And here's a bonus nginx config

upstream bitmagnet {
    server 127.0.0.1:3333;
}

server {
    listen 443 ssl;

    server_name bitmagnet.example.org;

    access_log  /var/log/nginx/bitmagnet.access.log;
    error_log   /var/log/nginx/bitmagnet.error.log;

    # Consider adding some authentication if you want to allow non-local clients
    allow 127.0.0.0/8;
    allow ::1/128;
    deny all;

    ssl_certificate "/etc/letsencrypt/live/bitmagnet.example.org/fullchain.pem";
    ssl_certificate_key "/etc/letsencrypt/live/bitmagnet.example.org/privkey.pem";
    ssl_trusted_certificate "/etc/letsencrypt/live/bitmagnet.example.org/chain.pem";

    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security "max-age=31536000" always;
    add_header X-Frame-Options "DENY";
    add_header X-Content-Type-Options "nosniff";
    # Fixed: the original line was missing the closing quote on 'none' and the closing quote and ';' of the header value
    add_header Content-Security-Policy "default-src 'self' https:; object-src 'none'; frame-src 'none'; base-uri 'self'; img-src https: data:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; worker-src 'self'; connect-src https:; sandbox allow-same-origin allow-scripts allow-downloads; trusted-types; require-trusted-types-for 'script'";

    location / {
        proxy_pass http://bitmagnet;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Forwarded-Host $http_host;
    }

}
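As an added check for the header lines in the nginx config above (this is not part of the PR and not bitmagnet's code): a small Python linter that confirms an `add_header` directive is properly quoted and terminated, then splits the Content-Security-Policy value into directives to catch an unbalanced quote such as `'none`, an unquoted keyword, `'unsafe-inline'` in `script-src`, and `require-trusted-types-for` without `trusted-types`. The two sample policies are constructed from the config above, one corrected and one reproducing the unterminated quote; the list of checks is this example's own choice, not an nginx or browser feature.

```python
"""Lint an nginx add_header Content-Security-Policy line before deploying it.

Added example; not bitmagnet's code. The samples below are constructed:
GOOD_CSP is the corrected policy from the config above, BROKEN_CSP puts back
the unterminated 'none token the original line carried.
"""
import re
from typing import Dict, List, Optional

# CSP source keywords that browsers only recognise when single-quoted.
KEYWORDS = {"self", "none", "unsafe-inline", "unsafe-eval", "strict-dynamic"}

# A complete directive: add_header NAME "value" [always];
ADD_HEADER_RE = re.compile(r'^\s*add_header\s+(\S+)\s+"(.*)"\s*(always)?\s*;\s*$')


def header_value(nginx_line: str) -> Optional[str]:
    """Return the quoted value of an add_header line, or None when the line is
    not a complete directive (e.g. missing closing quote or trailing ';')."""
    m = ADD_HEADER_RE.match(nginx_line)
    return m.group(2) if m else None


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a serialized policy into {directive: [source tokens]}.
    A repeated directive name keeps its first occurrence, as browsers do."""
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name, values = tokens[0].lower(), tokens[1:]
        directives.setdefault(name, values)
    return directives


def lint_csp(policy: str) -> List[str]:
    """Return findings for a policy value; an empty list means nothing flagged."""
    findings: List[str] = []
    directives = parse_csp(policy)
    for name, values in directives.items():
        for v in values:
            if v.count("'") == 1:
                # 'none or none' : the quote never closes, so the token (and
                # everything up to the next ';') is misread by the browser.
                findings.append(f"{name}: unbalanced quote in {v!r}")
            elif v in KEYWORDS:
                # Bare none/self is treated as a host name, not a keyword.
                findings.append(f"{name}: keyword {v} must be quoted as '{v}'")
    script = directives.get("script-src", directives.get("default-src", []))
    if "'unsafe-inline'" in script:
        findings.append("script-src: 'unsafe-inline' weakens XSS protection")
    if "require-trusted-types-for" in directives and "trusted-types" not in directives:
        findings.append("require-trusted-types-for without trusted-types")
    return findings


# Constructed sample: the corrected header value from the nginx config above.
GOOD_CSP = (
    "default-src 'self' https:; object-src 'none'; frame-src 'none'; base-uri 'self'; "
    "img-src https: data:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; "
    "worker-src 'self'; connect-src https:; sandbox allow-same-origin allow-scripts allow-downloads; "
    "trusted-types; require-trusted-types-for 'script'"
)
# Constructed sample: same policy with the closing quote of object-src 'none' dropped.
BROKEN_CSP = GOOD_CSP.replace("object-src 'none'", "object-src 'none")
GOOD_LINE = f'add_header Content-Security-Policy "{GOOD_CSP}";'
BROKEN_LINE = f'add_header Content-Security-Policy "{BROKEN_CSP}'  # no closing quote, no ';'

if __name__ == "__main__":
    for line in (GOOD_LINE, BROKEN_LINE):
        value = header_value(line)
        if value is None:
            print("nginx directive malformed (unterminated quote or missing ';')")
            continue
        print("nginx directive OK; CSP findings:")
        for finding in lint_csp(value):
            print("  -", finding)
```

Run it as a pre-deploy step or in CI next to `nginx -t`: `nginx -t` only checks nginx's own syntax, so a policy value that is quoted correctly at the nginx level but carries a broken token inside the string passes it and silently reaches browsers.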

@mgdigital (Collaborator)

Thanks for this @davispuh. I'm open to adding this, though might it be better in the form of a tutorial for the website? I'd want to do a bit of testing first, which will require some set-up work for me as I'm running through Docker. I will get round to this when I can unless someone can beat me to it and do an independent review of this...

@davispuh (Author)

though might it be better in the form of a tutorial for the website?

It can be useful for both. For the packaging use case only an actual copyable file is usable, since trying to extract it out doesn't seem like a good idea, and then everyone would just have their own copies which wouldn't get updated; hence a copyable upstream file is better.

@hardKOrr

I created a bitmagnet LXC and used this service file (updating user/group) and have been running successfully for a couple days.
